(54) Method and system for evaluating information security

(57) A method and system for evaluating information security and developing an effective information security infrastructure for an entity makes use of an information security evaluation model having, for example, five levels with varying characteristics which explain where the entity stands with regard to threats and vulnerabilities to its information security at any point in time. The evaluation can be performed manually or automatically by a computer program running on a computer, such as a personal computer, and includes, for example, identifying one or more information resources of the entity, receiving information about one or more information security characteristics for the identified resource, categorizing the information security characteristic or characteristics according to a pre-defined hierarchy of risk levels, and assessing a degree of business risk for the entity based on the categorization.
Description

CROSS REFERENCE TO RELATED APPLICATIONS 

[0001] This application claims the benefit of U.S. Provisional Application No. 60/107,464 filed November 6, 1998.

FIELD OF THE INVENTION 

[0002] The present invention relates generally to the field of evaluating information security, and, in particular, to a method and system for evaluating and developing an effective information security infrastructure.

BACKGROUND OF THE INVENTION 

[0003] Organizations of all sizes, for example, small businesses as well as large businesses, are currently at varying levels of security with respect to information systems, such as their computer systems and networks, which present varying levels of business risk in their daily operations. Generally, such organizations have no effective way to determine whether they are information security astute, and whether they have the proper programs and services in place to be considered astute regarding the security of their information. Further, even if they have some systems in place to deal with incidents which may compromise the security of their information, they have no effective way to guarantee whether they are in a highly alert state of readiness or simply a mediocre state of readiness if such an incident occurs. Nor do they have an effective way to evaluate whether particular programs which may be in place are in place at the optimum point to deal with such incidents.

[0004] Many such entities operate under the mistaken assumption that their information is secure or, for example, that an intruder or hacker would not be motivated to try to gain access to their information systems. Likewise, many such entities mistakenly assume that their employees are aware of and in compliance with the entities' requirements for maintaining and working in a secured environment relative to the entities' information systems. Such entities operate under the assumption, but without any assurance, that information relative to their products and services is confidential and will remain confidential. They assume that their level of risk for a security breach is low, when indeed the level of risk of such a breach may be very high. Such unwarranted assumptions themselves create an additional level of business risk.

[0005] Various attempts have been made to address the problems associated with evaluating and developing effective information security infrastructures at different levels of businesses with different levels of sophistication using various levels of technology. Some of such attempts work in some parts of business, and others work on information technologies only. Some are paper-based. However, none have been particularly successful or effective in encompassing, defining, and classifying vulnerabilities, risk, and threats and providing information security infrastructure solutions at all levels of business and technology.

[0006] There is a current need to provide a relatively simple and efficient method and system for evaluating existing information security and for developing an effective information security infrastructure.

SUMMARY OF THE INVENTION 
[0007] It is a feature and advantage of the present invention to provide a method and system for evaluating and developing an effective information security infrastructure which defines a set of controls for assessing and compensating for vulnerabilities in each organizational component such as technology and business processes.

[0008] It is a further feature and advantage of the present invention to provide a method and system for evaluating and developing an information security infrastructure which furnishes a means for defining and classifying the degree of risk associated with information assets, where the risk is defined as the economic value, worth or exposure or the reputational impact of an information asset.

[0009] It is another feature and advantage of the present invention to provide a method and system for evaluating and developing an information security infrastructure which assists an organization in determining the nature of threats or vulnerability to the organization's information systems.

[0010] It is an additional feature and advantage of the present invention to provide a method and system for evaluating and developing an information security infrastructure which affords tools for assessing and analyzing the impact of threats to an organization's information systems and recommends solutions to deal with such threats.

[0011] To achieve the stated and other features, advantages, and objects, an embodiment of the present invention provides a method and system for evaluating information security for an entity which makes use of an information security evaluation model grid having, for example, five different levels with varying characteristics which explain where the entity stands with regard to information security risks at any given time. The method and system for an embodiment of the present invention includes, for example, identifying one or more information security resources related to an information security area of the entity, such as an organizational environment area, a business commitment area, a policy and standards area, and an information security programs and services area of the entity. The identification can be performed either manually or can be received on a computer program running on a computer, such as a personal computer.

[0012] In the method and system for an embodiment of the present invention, the information resources related to the organizational environment area of the entity relate, for example, to one or more corporate structure resources and responsibility and accountability resources. The business commitment area of the entity relates, for example, to one or more management resources, funding resources, incident management resources, awareness and education resources, operations resources, information ownership resources, and information classification resources. The policy and standards area of the entity relates, for example, to one or more existence and maintenance resources and enforcement and measurement resources. The information security programs and services area of the entity relates, for example, to one or more prevention resources, detection resources, and verification resources.

[0013] In the method and system for an embodiment of the present invention, information is received about one or more information security characteristics for the identified information security resource which is indicative of a pre-defined risk level for the information security of the entity and which also indicates a pre-defined level of readiness of the entity to deal with a risk to the information security of the entity. The pre-defined levels of readiness include, for example, a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness. Likewise, the information can be gathered and received manually or can be received by entering it on the computer program running on a computer, such as a personal computer.

[0014] In the method and system for an embodiment of the present invention, the complacent level of readiness is characterized by a propensity of the entity to resignation to the current information security environment of the entity. The acknowledgment level of readiness is characterized by a propensity of the entity to acknowledgment of a need to improve the information security of the entity. The integration level of readiness is characterized by a propensity of the entity to integrate existing information security programs and services of the entity. The common practice level of readiness is characterized by a propensity of the entity to customarily practice information security procedures for the entity. The continuous improvement level of readiness is characterized by a propensity of the entity to continuously improve information security practices for the entity.

[0015] In the method and system for an embodiment of the present invention, the information security characteristic or characteristics are categorized according to a pre-defined hierarchy of the information security risk levels that are associated with various information security characteristics and which are also indicative of the pre-defined levels of readiness of the entity to deal with a risk to the information security of the entity. Again, the categorization can be performed manually or automatically by the computer program running on the computer, such as a personal computer. Further, the categorized information security characteristic or characteristics can be weighted either manually or automatically by the computer program and recategorized manually or by the computer program.

[0016] In the method and system for an embodiment of the present invention, the categorized, or weighted and recategorized, information security characteristic or characteristics are used as the basis for an assessment of the degree of business risk for the entity. The assessment can be performed either manually or automatically by the computer program. Another aspect for an embodiment of the present invention includes, for example, selection of the entity for which to evaluate the information security, for example, from a unit level entity, a business level entity, or an organization level entity. A further aspect for an embodiment of the present invention includes, for example, assigning an evaluation team for the selected entity. An additional aspect for an embodiment of the present invention includes, for example, generating a recommendation for a security improvement based at least in part on the assessed degree of business risk and at least in part on the cost of the security improvement.
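
The evaluation steps of paragraphs [0011] through [0016], worked as an added example in Python. This is code written for this page, not an implementation from the patent: each categorized characteristic is an observation carrying the level an evaluator assigned to one resource of one area and an assumed weight; areas are scored by weighted mean, the entity's level and its degree of business risk follow an assumed weakest-link rule, and candidate improvements are ranked by risk reduced per unit cost with a greedy budget cut-off. The level ranks, the weighting and weakest-link rules, the risk formula, the greedy ranking, and every observation, weight and cost below are constructed assumptions; the patent names the steps but specifies none of these formulas.

```python
# Added example for this page, not the patent's own implementation: score an
# entity against the five-level ISEM grid, weight the categorized characteristics,
# derive a business-risk figure and rank improvements by risk reduced per cost.
# Ranks, weights, the weakest-link rule, the risk formula, the greedy ranking and
# every observation and cost below are constructed assumptions.
import math
from dataclasses import dataclass
from typing import Dict, List

LEVELS = ["complacent", "acknowledgment", "integration",
          "common practice", "continuous improvement"]  # ranked 1..5
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}

# The four indicator areas and the resources paragraph [0012] lists for each.
AREAS: Dict[str, List[str]] = {
    "organizational environment": ["corporate structure", "responsibility and accountability"],
    "business commitment": ["management", "funding", "incident management",
                            "awareness and education", "operations",
                            "information ownership", "information classification"],
    "policy and standards": ["existence and maintenance", "enforcement and measurement"],
    "IS programs and services": ["prevention", "detection", "verification"],
}

@dataclass(frozen=True)
class Observation:
    """Level assigned to one resource of one area, with an assumed weight."""
    area: str
    resource: str
    level: str
    weight: float = 1.0

@dataclass(frozen=True)
class Improvement:
    """A candidate security improvement and its assumed cost."""
    area: str
    resource: str
    target_level: str
    cost: float

def area_scores(observations: List[Observation]) -> Dict[str, float]:
    """Weighted mean level rank (1.0..5.0) per area; an area nobody observed
    scores 1.0, since nothing is known about it."""
    totals: Dict[str, float] = {}
    weights: Dict[str, float] = {}
    for obs in observations:
        # Reject anything outside the grid instead of silently scoring it.
        if (obs.resource not in AREAS.get(obs.area, []) or obs.level not in RANK
                or obs.weight <= 0):
            raise ValueError(f"observation outside the ISEM grid: {obs}")
        totals[obs.area] = totals.get(obs.area, 0.0) + RANK[obs.level] * obs.weight
        weights[obs.area] = weights.get(obs.area, 0.0) + obs.weight
    return {a: totals[a] / weights[a] if a in weights else 1.0 for a in AREAS}

def overall_level(scores: Dict[str, float]) -> str:
    """Recategorize the entity at its weakest area, floored to a grid level."""
    return LEVELS[math.floor(min(scores.values())) - 1]

def area_risk(score: float) -> float:
    """Risk of one area: 1.0 at complacent, 0.0 at continuous improvement."""
    return (len(LEVELS) - score) / (len(LEVELS) - 1)

def business_risk(scores: Dict[str, float]) -> float:
    """Degree of business risk for the entity: the risk of its worst area."""
    return max(area_risk(s) for s in scores.values())

def recommend(observations: List[Observation], candidates: List[Improvement],
              budget: float) -> List[Improvement]:
    """Greedy plan: rank candidates by area-risk reduction per unit cost and
    take them in that order while the budget lasts."""
    base = area_scores(observations)
    ranked = []
    for imp in candidates:
        # Re-score the area as if this one resource were lifted to target_level.
        revised = [Observation(o.area, o.resource, imp.target_level, o.weight)
                   if (o.area, o.resource) == (imp.area, imp.resource) else o
                   for o in observations]
        gain = area_risk(base[imp.area]) - area_risk(area_scores(revised)[imp.area])
        if gain > 0 and imp.cost > 0:
            ranked.append((gain / imp.cost, imp))
    plan, spent = [], 0.0
    for _, imp in sorted(ranked, key=lambda pair: pair[0], reverse=True):
        if spent + imp.cost <= budget:
            plan.append(imp)
            spent += imp.cost
    return plan

# Constructed evaluation of one business unit and constructed candidate fixes.
SAMPLE = [
    Observation("organizational environment", "corporate structure", "integration"),
    Observation("organizational environment", "responsibility and accountability", "acknowledgment"),
    Observation("business commitment", "funding", "acknowledgment", weight=2.0),
    Observation("business commitment", "incident management", "complacent"),
    Observation("policy and standards", "existence and maintenance", "integration"),
    Observation("policy and standards", "enforcement and measurement", "integration"),
    Observation("IS programs and services", "prevention", "common practice"),
    Observation("IS programs and services", "detection", "acknowledgment"),
]
CANDIDATES = [
    Improvement("business commitment", "incident management", "integration", 30),
    Improvement("business commitment", "funding", "integration", 80),
    Improvement("IS programs and services", "detection", "common practice", 40),
    Improvement("organizational environment", "responsibility and accountability", "integration", 10),
]
```

With the constructed sample, `area_scores(SAMPLE)` puts business commitment at 5/3 (the doubled weight on funding pulls the area toward its level), `overall_level` floors the weakest area to complacent, and `business_risk` is 5/6. `recommend(SAMPLE, CANDIDATES, budget=100)` picks responsibility and accountability, detection and incident management, in that order, and drops the funding item because it would exceed the budget. Note the caveat a practitioner would raise: the greedy ranking scores each improvement against the area it touches, so the cheap fix in a middling area outranks the incident management fix in the weakest area that actually drives the entity's overall risk; if the weakest link is what matters, rank by reduction in `business_risk` instead.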

BRIEF DESCRIPTION OF THE ATTACHMENTS 
[0017]

Figs. 1 through 5 show a grid which illustrates an example of five levels of information security for the information security evaluation model for an embodiment of the present invention; and
Fig. 6 is a flow chart which illustrates an example of the process of evaluating the information security infrastructure for an entity using the information security evaluation model grid of Figs. 1 through 5 for an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION
[0018] Referring now in detail to an embodiment of the present invention, an example of which is illustrated in the accompanying drawings, the system and method for an embodiment of the present invention makes use of an information security evaluation model having, for example, five different levels with varying characteristics which explain where an organization is with regard to threats and vulnerabilities to its information security at any given point in time. The five levels of the ISEM correspond generally to how ready an organization is to deal with an incident, such as an intrusion into the organization's information system by a hacker.
[0019] Figs. 1-5 show a table or grid 2 which illustrates an example of five levels of information security (IS) for the information security evaluation model (ISEM) for an embodiment of the present invention. Referring to Figs. 1-5, the first level 4 of the ISEM grid 2 is complacency, which defines an organization that is contented or resigned to its current environment. The first level 4 characterizes an organization, for example, that is contented, satisfied, or resigned to the current environment. At the first level 4, existing circumstances are accepted with an attitude of "If it's not broken, don't fix it."

[0020] In an embodiment of the present invention, complacency at the first level 4 of the ISEM grid 2 is characterized, for example, in that existing programs and services are perceived as sufficient. Generally, system availability requirements are understood, and failure to provide adequate security is viewed as an "operations only" issue. Some threats are known, but are not analyzed or understood. Protection is seen as a function of the physical facility, and safeguards are physical network components that are usually installed in an ad hoc manner. Information assets are not considered as separate entities requiring security, and IS is not formal and consists mainly of systems administrators, information systems administrators, or quality assurance and/or compliance units. The requirement for passwords/user identifications may or may not be a commonplace occurrence, and directory set ups of "read," "write," and "share" are known but may not be fully understood. A help desk is used to report incidents with no escalation, and incidents may or may not be resolved. Also, at the first level 4, IS incidents are viewed as "someone else's problem," and IS policies and standards are minimal, and may or may not be documented.

[0021] The consequences to an organization of complacency at the first level 4 of the ISEM grid 2 for an embodiment of the present invention include, for example, no ownership of information or sense of awareness of IS. The organization is not in a state of alertness or readiness, and IS budgets are typically small or non-existent. Information owners do not exist, and responsibility and/or authorization is lacking. Information is not classified, and there is no relationship to business risk. Security incidents are not reported and tracked as such and are managed as crisis events. In addition, at the first level 4, audit controls and process and procedures are built around complacent characteristics.

[0022] In an embodiment of the present invention, with complacency at the first level 4 of the ISEM grid 2, the response of the organization to an IS incident is reactionary. For example, if someone breaks into the organization's network or server and steals the organization's confidential documentation, a first level 4 or complacent organization initially takes a long time to determine whether such a break-in has indeed occurred. The organization may not be aware of the break-in for an extended period of time. When the organization finally learns of the break-in, it has no mechanism for reporting or responding to the break-in. Such an organization does not usually have any budgeted dollars with which to employ someone to help deal with the break-in, so it has a high impact on the organization. Such a reactionary response to an information security breach is expensive, and usually the organization's management at the first level 4 over-reacts or perhaps becomes panic-stricken.

[0023] Referring further to Figs. 1-5, the second level 6 of the ISEM grid 2 for an embodiment of the present invention is acknowledgment, which is represented by an organization whose management acknowledges that perhaps they need to do something to work in a more secure environment for IS. At the second level 6, change and validation of IS requirements are accepted, and management understands risk as it pertains to IS.

[0024] In an embodiment of the present invention, at the acknowledgment or second level 6 of the ISEM grid 2, some of the business people within the organization realize that there are risks pertaining to the organization's information security and are willing to allocate money to try to avoid such risks. They are also willing to implement at least some monitoring tools or training of at least some of their employees for the purpose. At the second level 6, they are beginning to become more alert to the fact that an information security breach can happen.

[0025] Characteristics of the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, a realization that a "silo" approach will not work, that a focused IS program and IS organization is required, and that existing IS processes are fragmented. Additional characteristics of acknowledgment at the second level 6 include, for example, a realization that information assets must be owned in a concept of "information ownership" and that information must be "classified" as a function of risk to the business unit.

[0026] Other characteristics of the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, that management is willing to allocate funds for IS products and systems, which is usually operations oriented at this level. Management also realizes that IS is needed, and a corporate IS officer has been assigned or is being considered. While IS professionals are assigned, they are usually operations staff at this level. Incidents are still reported through a help desk, but escalations are refocused. IS organizations receive reports of incidents from the help desk as a function of the escalation chain. At the second level 6, some response teams are being built within the business units and the IS organization, and reporting of business level IS activities to senior management exists but is sporadic.
[0027] The results for an entity at the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, that "silos" particular to IS between groups begin to diminish. IS requirements are mandated, but processes and programs to manage them are not yet built. Ad hoc requests for IS status are made by management to line managers, pressure to make business managers more accountable for IS comes from the top down, and IS topics begin to appear on management meeting agendas. In addition, at the second level 6, accountability for information assets may be assigned to a person, and the level of protection required for information assets is considered when making decisions.

[0028] Other results for an entity at the acknowledgment or second level 6 of the ISEM grid 2 for an embodiment of the present invention include, for example, that budgeted dollars are spent on high priced security technologies, which are usually data center centric. The blame for incidents, system failures, or availability shifts between operations and information security providers, and attention to incident management increases. Additionally, at the second level 6, end user productivity can be affected by IS safeguards mandated to protect corporate assets, and the organization begins to move towards an alert state, although it is not yet in a readiness state.

[0029] Referring still further to Figs. 1-5, the third level 8 of the ISEM grid 2 for an embodiment of the present invention is integration, in which an organization's management takes any existing programs and services that are already in the organization and integrates them or penetrates them down into all levels of the business so they work in concert together. In an organization at the third level 8, IS requirements across corporate boundaries are accepted, and threats and vulnerabilities are understood, as well as a requirement for cross functionality.

[0030] At the integration or third level 8 of the ISEM grid 2, for an embodiment of the present invention, there is a state of readiness, because information security requirements are integrated between the levels and the businesses, and people know what to do and how to respond to an information security breach. For example, when an incident occurs, they know not to publicize it because publicity can cause damage to the organization's reputation. At the third level 8, they know to report the incident to the appropriate security officer, who has been designated beforehand.

[0031] Characteristics of an organization at the integration or third level 8 of the ISEM grid 2 for an embodiment of the present invention include, for example, that management realizes that IS adds value to the organization, and there is a general acceptance of an organization-wide, standards based, IS infrastructure. An IS infrastructure is designed to penetrate all business entities and levels, and a centralized corporate IS office or officer is established, funded, and staffed, and granted authority over IS matters. Senior level information owners with responsibility are identified, and information assets are assigned sponsors with authority at the business, customer, and/or user level. At the third level 8, information has been and/or is being classified based on business risk, and an organization-wide process relationship exists for reporting incidents.
[0032] Other characteristics of an organization at the integration or third level 8 of the ISEM grid 2 for an embodiment of the present invention include, for example, that organization-wide process relationships exist for responding to incidents, for disseminating security alerts or threat management, and for certifying security products. Virus reporting is centralized, and a security building permit process is part of the application/product development lifecycle. A process relationship exists between the security incident response teams, business incident response teams, and organization fraud entities, and IS vulnerability assessment tools are made available to the business units. At the third level 8, all new hire packages include an IS package and training schedule, IS training programs are available, and IS metrics are collected, analyzed, and used to make decisions.

[0033] The results for an entity at the integration or third level 8 of the ISEM grid 2 for an embodiment of the present invention include, for example, that products/applications are delivered with appropriate levels of security, end users can more readily identify reportable incidents, and mutually beneficial process relationships exist between the business units. IS metrics are used for decision making, trending, and threat management, IS becomes process driven, and IS is managed vertically from the top down and horizontally or cross "silo." IS programs and services are being designed to meet corporate requirements, IS practices are mandated, and accountability for information assets is assigned to the "right people." IS vulnerability assessments are being incorporated in the business unit's self-assessment process, organization assets are being classified as a function of risk, and information ownership is omnipresent. The organization at the third level 8 is in an alert state and is moving towards a readiness state.

[0034] Referring again to Figs. 1-5, the fourth level 10 of the ISEM grid 2 for an embodiment of the present invention is common practice, which means that there has been a culture switch within the organization and that providing IS programs and services is a common practice of the organization. For example, it becomes a common practice for employees to password their workstations, to turn their equipment off at night, to take IS precautions when traveling, and to lock away confidential documentation. Off-site storage is provided for confidential documentation. At the fourth level 10, such IS actions become common practice. Employees think about IS at all times. In an organization at the fourth level 10, IS requirements reach the business entity level as daily business procedures. IS practices are widespread throughout the corporation, and IS practices become a habitual occurrence.

[0035] In an organization at the fourth level 10 of the ISEM grid 2 for an embodiment of the present invention, information security is a common practice. People know what to do, and money is budgeted for information security. Information security is a part of building the organization's applications and products. The common practice characteristics of an organization at the fourth level 10 include, for example, that the integration of IS programs and services with the business units is complete. Management actively and visibly participates in the IS programs and services, the IS infrastructure is established, IS policy and standards are established, understood, and implemented, and the practice of IS is considered daily.

[0036] In an organization at the fourth level 10 of the ISEM grid 2 for an embodiment of the present invention, information classifications are based on business risk analysis, incident reporting is centralized and focused, business incident response teams are built, and a process relationship exists between the business incident response teams and a security incident response team. Virus incidents are tracked and reported, IS metrics are available at the business level, and business level IS officer resource allocation is optimized. At the fourth level 10, IS product certification is ongoing, and management meetings include IS awareness agenda items.

[0037] The results for an organization at the common practice or fourth level 10 of the ISEM grid 2 for an embodiment of the present invention include, for example, that IS is a common business practice, and there is consistency in IS products. IS programs and services are interactive, there is routine corporate wide IS reporting, and mutually beneficial relationships exist between the organizational units. There is consistency in corporate IS initiatives. IS programs and services reflect the organization's environment, the organization understands its vulnerabilities, and virus incident trending, tracking, and reporting is available. At the fourth level 10, the organization is in an alert state, as well as a readiness state.

[0038] Referring once again to Figs. 1-5, the final or fifth level 12 of the ISEM grid 2 for an embodiment of the present invention is continuous improvement, in which an organization for which IS culture has become a common practice looks continually at technologies for improving the security of information, and works with those technologies to continuously improve the IS environment within the organization. In an organization at the fifth level 12, IS practices are a proven corporate benefit and quality state with a corresponding increase in productivity and value, and IS becomes a part of the brand.

[0039] In an embodiment of the present invention, at the continuous improvement or fifth level 12, the organization is in a highly alert state with regard to IS and ready to deal with any incident, such as an intrusion by a hacker. When such an incident occurs, response teams are ready to go into place and resolve the problem. An organization that is at the fifth level 12 continuously monitors the threats to its IS out in the marketplace and is able to evaluate how the threats affect the organization and then make changes based on those threats. Such an organization looks at more cost-effective alternatives than what it currently has in place. The organization frequently re-classifies its information based on various risks. It changes its policies and standards to reflect changes in technology or changes in its classification of information. An organization at the fifth level 12 does such things relatively quickly. Implementation cycles are designated in Web years, which is usually about three months. At the fifth level 12, IS activities are encouraged in the organization.

[0040] An organization at the fifth level 12 of the ISEM grid 2 for an embodiment of the present invention has IS programs and services that are planned and routine. IS is something that happens as part of the planning and strategic planning processes of the organization. The products that emanate from an organization that reaches the continuous improvement or fifth level 12 are trusted products, and buyers of such products know the products can be trusted. IS is considered part of the organization and becomes part of the culture of the organization. In an organization at the fifth level 12, IS is something that people within the organization deal with every day, and knowledge that the organization gains is shared throughout the organization.

[0041] In an organization at the fifth level 12 of the ISEM grid 2 for an embodiment of the present invention, IS program and service initiatives are at a much higher level and function across organizational lines. In the event of an IS incident, the response is quick, and everyone knows what to do, which usually results in savings of money to the organization. There is a mechanism in place for reporting incidents back to management. An organization at the fifth level 12 is constantly alert to information security risks, and the organization is ready to handle such risks, which minimizes losses.

[0042] Characteristics of an organization at the continuous improvement or fifth level 12 for an embodiment of the present invention include, for example, continual reevaluation of threats based on a changing threat population and security incidents, and additional or more cost effective alternatives are continually identified. Information classification is continually reviewed for optimal risk/security benefits, IS policies and standards are continually reviewed for completeness and applicability, and implementation cycles are in Web years. IS technical research activities are encouraged to be consistent with rapidly changing environments, IS programs and services are planned, budgeted, and routine for security economics, and the organization is known for providing trusted products. In an organization at the fifth level 12, IS is considered an integral component of the organization's internal controls, the practice of IS is considered a component of the corporate culture and is second nature, and knowledge is shared.

[0043] The results of the continuous improvement or fifth level 12 of the ISEM grid 2 for an embodiment of the present invention include, for example, that IS process improvement is continuous through program and service initiatives, cross level and cross functional participation, and the sharing of knowledge. Incidents are responded to with corrective actions, feedback to management is consistent, and prevention strategies are implemented and continuously improved. Recovery costs are contained, and losses are minimized and anticipated. An organization at the fifth level 12 is in an alert state, as well as a readiness state. 

[0044] Referring still again to Figs. 1 - 5, the ISEM for an embodiment of the present invention makes use of the grid 2, which includes the five levels of the ISEM, as well as associated process, control and facilitator indicator areas 14. The process, control, and facilitator indicator areas 14 include, for example, organizational environment 16, business commitment 18, policy and standards 20, and IS programs and services 22. The process and control area facilitators and indicators 14, such as organizational environment 16, are the features that determine the results, i.e., make each thing happen, or indicate who determines the status or where each characteristic is at any particular time. 
[0045] In an embodiment of the present invention, the process, control, and facilitator indicator areas 14 of the ISEM grid 2 are areas within an organization that have some type of responsibility for information security. Within each process, control and facilitator indicator area 14 there is a definition. For example, organizational environment 16 relates to corporate structure 24 and responsibility and accountability 26. Business commitment 18 relates to management 28, funding 30, incident management 32, awareness and education 34, operations 36, information ownership 38, and information classification 40. Policy and standards 20 relates to maintenance 42 and enforcement and measurement 44. IS programs and services 22 relates to prevention 46, detection 48, and verification 50. 
[0046] Each of the five levels of the ISEM grid 2 for an embodiment of the present invention is documented within each cell of the grid 2. For example, corporate structure 24 at the first level 4 addresses existing programs and services that are perceived as sufficient and exist in silos, information security that is informal and consists mainly of systems administrators, the absence of a focused IS program or a relationship between business units and IS entities, and the absence of a readiness or an alert state of IS. For another example, responsibility and accountability 26 at the first level 4 addresses the absence of an IS office or officer, the absence of ownership of IS, the view of failure to provide adequate IS as only an operations or technology issue, and the view of IS incidents as someone else's problem. 

[0047] In an embodiment of the present invention, the ISEM grid 2 takes all of the characteristics and puts them into the proper cell for the analysis and evaluation of the IS of an organization, and does so for each process area within the organization. The ISEM grid 2 for an embodiment of the present invention can be used with a tool set on a qualitative basis without weighting, but weighting can serve to quantitatively define or refine the process somewhat. 

[0048] In a weighting aspect of an embodiment of the present invention, the ISEM grid 2 is used to weight and score information security by viewing each characteristic within a cell, weighting it as to its importance in the particular level, and computing a score. An organization cannot graduate from one level to the next level until it reaches a certain score. The weighting process is an aspect of the present invention, and the calculation of the level of IS is consistent, regardless of the particular tool set that is used to evaluate the cells or evaluate their levels by using, for example, a least one, or a cumulative process. A tool set is used by an organization to determine the particular level at which the organization stands. The characteristics within each level of the model can be weighted, and the results scored using the tool set to identify the level at which the organization stands. 

[0049] In an embodiment of the present invention, the resulting score is used by business managers within the organization to make a decision with regard to whether they are satisfied with the particular level at which the organization stands in respect to IS in light of the risk to the business of the organization. If the business managers within the organization find the business risk unacceptable, they can elect to determine, for example, the technology steps necessary to be taken to move to a higher level on the ISEM grid 2 and the costs associated with such steps. If the business risk justifies the costs, appropriate procedures can be implemented to move to a higher level on the ISEM grid 2. 
[0050] Fig. 6 is a flow chart which illustrates an example of the process of evaluating an entity's IS infrastructure using the ISEM grid 2 for an embodiment of the present invention. Referring to Fig. 6, at S1, a selection is made of the particular entity for which IS is to be evaluated. The selected entity can be, for example, a unit level, a business level or the organization level. At S2, an ISEM certified evaluation team is assigned. At S3, the IS resources of the selected entity are identified from pre-defined indicators, for example, from each process, control, and facilitator indicator area of the entity, such as organizational environment 16, business commitment 18, policy and standards 20, and IS programs and services 22. 

[0051] Referring further to Fig. 6, at S4, information is received that relates to security characteristics, for example, for each identified IS resource. For example, questions concerning the security characteristics of each identified IS resource are considered and answered, which relate to the levels on the ISEM grid 2 and where the entity stands on the ISEM grid 2. For the organization to be, for example, at the first level 4, it must meet certain criteria. 

[0052] In order to get to the security characteristics, for example, for the first level 4 of the ISEM grid 2 for an embodiment of the present invention, it is necessary to pose and answer questions about the identified IS resources, such as whether existing IS programs are perceived as sufficient, whether IS is informal and consists mainly of systems administrators, whether a focused IS program exists, whether a relationship exists between business units and IS entities, whether an IS office or officer exists, and the like. The questions can be posed in any number of ways to get to the security characteristics, and the yes or no answers to the questions provide the information that determines the level on the ISEM grid 2 at which the entity stands. 
[0053] Referring again to Fig. 6, at S5, the information about the IS characteristics of the entity is compiled and categorized according to a predefined hierarchy of IS characteristics, such as the five levels of the ISEM grid 2. While the compilation and categorization of the IS characteristics can be performed manually, an aspect of an embodiment of the present invention makes use of a computer software application or program referred to as the ISEM tool set or tool kit running, for example, on a personal computer (PC). The ISEM tool kit is used to perform evaluations by the automated software application by process, control, and facilitator indicator area 14. The ISEM tool kit automatically compiles and categorizes the results for each cell of the ISEM grid 2. 
[0054] In an additional aspect for an embodiment of the present invention, after posing and answering all of the questions, at S5, the ISEM tool kit optionally performs weighting, recompiles the weighted results, and automatically determines the level within the ISEM grid 2 where the entity stands. The ISEM tool optionally compiles, enters and weights the results. At S6, the compiled and categorized results are presented to a management team for the entity, which assesses the results to determine whether, for example, the entity is operating at a level on the ISEM grid 2 which meets the entity's IS needs, based on business determined risks. At S7, a recommendation is made by the management team, based on its assessment of the compiled and categorized results according to the ISEM grid 2 and the costs of IS program adjustments, if applicable. 
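The weighting and level determination described in [0048] and at S5 of Fig. 6, as an added illustration in Python that is not the patent's own ISEM tool kit: each grid cell holds yes/no characteristics weighted by importance, cells are scored, scores are compiled per level, and the entity stands at the highest level it has graduated to. The sample questions above level 1, the weights, the 0.8 graduation threshold, and the averaging of cell scores within a level are assumptions; the patent fixes none of these values.

```python
"""Weighted scoring over an ISEM-style grid (added illustration, not the
patent's tool kit). Sample questions above level 1, weights, the graduation
threshold and the per-level averaging rule are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

# The five readiness levels of the ISEM grid, indexed 1..5.
LEVELS = ["complacent", "acknowledgment", "integration",
          "common practice", "continuous improvement"]


@dataclass
class Characteristic:
    question: str   # yes/no question posed at S4 about an IS resource
    weight: float   # importance of the characteristic within its cell (assumed)
    answer: bool    # True when the entity exhibits the characteristic


@dataclass
class Cell:
    area: str       # process, control and facilitator indicator area
    resource: str   # IS resource within that area
    level: int      # 1..5, the ISEM level this cell describes
    characteristics: List[Characteristic] = field(default_factory=list)

    def score(self) -> float:
        """Weighted fraction of the cell's characteristics that are met."""
        total = sum(c.weight for c in self.characteristics)
        if total == 0:
            return 0.0
        return sum(c.weight for c in self.characteristics if c.answer) / total


def level_scores(cells: List[Cell]) -> Dict[int, float]:
    """S5: compile cell scores into one score per level.
    Assumption: a level's score is the mean of its cells' scores."""
    per_level: Dict[int, List[float]] = {}
    for cell in cells:
        per_level.setdefault(cell.level, []).append(cell.score())
    return {lvl: sum(s) / len(s) for lvl, s in per_level.items()}


def determine_level(cells: List[Cell], threshold: float) -> int:
    """Level at which the entity stands. Level 1 (complacent) is the floor;
    the entity cannot graduate to the next level until that level's score
    reaches the threshold, so the first level that falls short ends the climb."""
    scores = level_scores(cells)
    standing = 1
    for lvl in range(2, len(LEVELS) + 1):
        if scores.get(lvl, 0.0) < threshold:
            break
        standing = lvl
    return standing


def gap_to_next_level(cells: List[Cell], standing: int) -> List[str]:
    """Unmet characteristics of the next level: the steps management weighs
    against their cost when deciding whether to move up (S6 and S7)."""
    if standing >= len(LEVELS):
        return []
    return [c.question for cell in cells if cell.level == standing + 1
            for c in cell.characteristics if not c.answer]


# Constructed sample answers (S4). The level 1 questions come from the
# description; the higher-level questions are invented for illustration.
SAMPLE_CELLS = [
    Cell("organizational environment", "corporate structure", 1, [
        Characteristic("existing programs are perceived as sufficient and "
                       "exist in silos", 1.0, False),
        Characteristic("IS is informal and consists mainly of systems "
                       "administrators", 1.0, False),
    ]),
    Cell("organizational environment", "responsibility and accountability", 2, [
        Characteristic("an IS office or officer exists", 2.0, True),
        Characteristic("ownership of IS is assigned (constructed)", 1.0, True),
    ]),
    Cell("business commitment", "incident management", 2, [
        Characteristic("incidents are reported back to management "
                       "(constructed)", 3.0, True),
        Characteristic("incident response roles are assigned (constructed)",
                       1.0, False),
    ]),
    Cell("business commitment", "incident management", 3, [
        Characteristic("incident handling is integrated across business "
                       "units (constructed)", 1.0, False),
        Characteristic("corrective actions feed prevention strategies "
                       "(constructed)", 1.0, True),
    ]),
]
```

With these answers the entity scores 0.875 at level 2 and 0.5 at level 3, so it stands at level 2 (acknowledgment); with every weight set to 1.0 the level 2 score drops to 0.75 and the entity stays at level 1, which is the refinement that weighting adds.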
[0055] An embodiment of the present invention identifies threats and vulnerabilities or the risk state of an organization's information and enables the organization to develop an effective IS infrastructure. An embodiment of the present invention defines a set of controls for assessing and compensating for vulnerabilities in each organizational component, such as technology, business process, and the like. An embodiment of the present invention also provides a means for defining and classifying the degree of risk associated with information assets, where risk is defined as the economic value or degree of worth of an information asset and/or the economic exposure and/or reputational impact to the organization. Further, an embodiment of the present invention assists the organization in determining the nature of threats and exploiting vulnerabilities, provides tools for impact assessment and analysis, and recommends solutions. 

[0056] Although the invention has been described 
with reference to these preferred embodiments, other 
embodiments can achieve the same results. Various 
modifications of the present invention will be apparent 
to one skilled in the art, and the above disclosure is 
intended to cover all such modifications. Accordingly, 
the invention is limited only by the following claims. 

Claims 

1. A method for evaluating information security for an entity, comprising: 

identifying at least one information security 
resource related to an information security area 
of the entity selected from a group consisting of 
an organizational environment area, a busi- 
ness commitment area, a policy and standards 
area, and an information security programs 
and services area of the entity; 
receiving information about at least one infor- 
mation security characteristic for the identified 
information security resource; 
categorizing the information security character- 
istic according to a predefined hierarchy of 
information security risk levels associated with 
information security characteristics; and 
assessing a degree of business risk for the 
entity based on the categorization of the infor- 
mation security characteristic. 

2. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource from one of a corporate structure resource and a responsibility and accountability resource related to the organizational environment area of the entity. 

3. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource selected from a group consisting of a management resource, a funding resource, an incident management resource, an awareness and education resource, an operations resource, an information ownership resource, and an information classification resource related to the business commitment area of the entity. 

EP0999489A2 

4. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource from one of an existence and maintenance resource and an enforcement and measurement resource related to the policy and standards area of the entity. 

5. The method of claim 1, wherein identifying the information security resource further comprises identifying the information security resource selected from a group consisting of a prevention resource, a detection resource, and a verification resource related to the information security programs and services area of the entity. 


6. The method of claim 1, wherein identifying the information security resource further comprises receiving a selection of the identified information security resource on a computer program. 


7. The method of claim 1, wherein receiving the information further comprises receiving the information about the security characteristic for the identified information security resource which is indicative of a pre-defined risk level for the information security of the entity. 

8. The method of claim 7, wherein receiving the information indicative of the pre-defined risk level further comprises receiving the information indicative of a pre-defined level of readiness of the entity to deal with a risk to the information security of the entity selected from a group consisting of a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness of the entity. 

9. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the complacent level of readiness which indicates a propensity of the entity to resignation to a current information security environment of the entity. 

10. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the acknowledgment level of readiness which indicates a propensity of the entity to acknowledgment of a need to improve the information security of the entity. 



11. The method of claim 8, wherein receiving the information indicative of the pre-defined level of readiness further comprises receiving the information indicative of the integration level of readiness which indicates a propensity of the entity to integrate existing information security programs and services of the entity. 

12. The method of claim 8, wherein receiving the infor- 
mation indicative of the pre-defined level of readi- 
ness further comprises receiving the information 
indicative of the common practice level of readiness 
which indicates a propensity of the entity to custom- 
arily practice information security procedures for 
the entity. 

13. The method of claim 8, wherein receiving the infor- 
mation indicative of the pre-defined level of readi- 
ness further comprises receiving the information 
indicative of the continuous improvement level of 
readiness indicative of a propensity of the entity to 
continuously improve information security practices 
for the entity. 

14. The method of claim 1, wherein receiving the infor- 
mation further comprises receiving the information 
at a computer. 

15. The method of claim 1, wherein categorizing the 
information security characteristic further com- 
prises categorizing the information security charac- 
teristic according to a pre-defined risk level for the 
information security of the entity. 

16. The method of claim 15, wherein categorizing the information security characteristic according to the pre-defined risk level further comprises categorizing the information security characteristic according to a pre-defined level of readiness of the entity to deal with a risk to the information security of the entity selected from a group consisting of a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness. 

17. The method of claim 16, wherein categorizing the 
information security characteristic according to the 
predefined level of readiness further comprises 
categorizing the information security characteristic 
according to the complacent level of readiness 
indicative of a propensity of the entity to resignation 
to a current information security environment of the 
entity. 

18. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the acknowledgment level of readiness indicative of a propensity of the entity to acknowledge a need to improve the information security of the entity. 

19. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the integration degree of readiness indicative of a propensity of the entity to integrate existing information security programs and services of the entity. 

20. The method of claim 16, wherein categorizing the 
information security characteristic according to the 
pre-defined level of readiness further comprises 
categorizing the information security characteristic 
according to the common practice level of readi- 
ness indicative of a predisposition of the entity to 
customarily practice information security proce- 
dures for the entity. 

21. The method of claim 16, wherein categorizing the information security characteristic according to the pre-defined level of readiness further comprises categorizing the information security characteristic according to the continuous improvement level of readiness indicative of a propensity of the entity to continuously improve information security practices for the entity. 

22. The method of claim 1, wherein categorizing the information security characteristic further comprises categorizing the information security characteristic by a computer program. 



23. The method of claim 22, wherein categorizing the information security characteristic further comprises weighting the categorized information security characteristic. 

24. The method of claim 23, wherein weighting the categorized information security characteristic further comprises automatically weighting the categorized information security characteristic by a computer program. 

25. The method of claim 24, wherein weighting the categorized information security characteristic further comprises recategorizing the weighted information security characteristic. 

26. The method of claim 25, wherein recategorizing the weighted information security characteristic further comprises automatically recategorizing the weighted information security characteristic by a computer program. 

27. The method of claim 1, wherein assessing the degree of business risk further comprises assessing the degree of business risk based on the categorization of the information security characteristic according to a pre-defined risk level for the information security of the entity. 

28. The method of claim 27, wherein assessing the business risk based on the categorization of the information security characteristic further comprises assessing the business risk based on the categorization of the information security characteristic according to a predefined level of readiness of the entity to deal with a risk to the information security of the entity selected from a group consisting of a complacent level of readiness, an acknowledgment level of readiness, an integration level of readiness, a common practice level of readiness, and a continuous improvement level of readiness. 

29. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the complacent level of readiness indicative of a propensity of the entity to resignation to a current information security environment of the entity. 

30. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the acknowledgment level of readiness indicative of a propensity of the entity to acknowledge a need to improve the information security of the entity. 

31. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the integration level of readiness indicative of a propensity of the entity to integrate existing information security programs and services of the entity. 

32. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the common practice level of readiness indicative of a propensity of the entity to customarily practice information security procedures for the entity. 

33. The method of claim 28, wherein assessing the business risk further comprises assessing the business risk based on the categorization of the information security characteristic according to the continuous improvement level of readiness indicative of a propensity of the entity to continuously improve information security practices for the entity. 

34. The method of claim 1, wherein assessing the business risk further comprises automatically assessing the business risk by a computer program. 

35. The method of claim 1, further comprising selecting the entity for which to evaluate the information security. 

36. The method of claim 35, wherein selecting the entity further comprises selecting the entity from one of a unit level entity, a business level entity, and an organization level entity. 

37. The method of claim 1, further comprising assigning an evaluation team for the selected entity. 

38. The method of claim 1, further comprising generating a recommendation for a security improvement related to the information security characteristic based at least in part on the assessed degree of business risk. 

39. The method of claim 38, wherein generating the recommendation further comprises generating the recommendation for the security improvement based at least in part on the cost of the security improvement. 

40. The method of claim 39, wherein generating the recommendation further comprises automatically generating the recommendation by a computer program. 



41. A system for evaluating information security for an entity, comprising: 

means for identifying at least one information security resource related to an information security area of the entity selected from a group of security areas consisting of an organizational environment area, a business commitment area, a policy and standards area, and an information security programs and services area of the entity; 
means associated with the identifying means for receiving information about at least one information security characteristic for the identified information security resource; 
means communicating with the receiving means for categorizing the information security characteristic according to a pre-defined hierarchy of information security risk levels associated with information security characteristics; and 
means associated with the categorizing means for assessing a degree of business risk for the entity based on the categorization of the information security characteristic. 

42. The system of claim 41, wherein the identifying means further comprises means for receiving a selection of the identified security information resource. 

43. The system of claim 42, wherein the means for receiving the selection further comprises a computer program. 

44. The system of claim 41, wherein the means for receiving the information further comprises a computer program. 

45. The system of claim 41, wherein the means for categorizing the information security characteristic further comprises an information security evaluation model grid. 

46. The system of claim 41, wherein the means for categorizing the information security characteristic further comprises a computer program. 

47. The system of claim 41, wherein the means for assessing the degree of business risk further comprises an information security evaluation model grid. 

48. The system of claim 41, wherein the means for assessing the degree of business risk further comprises a computer program. 